[linux-elitists] EU STOS: State of the Art in COMINT, NSA crypto backdoors

Karsten M. Self kmself@ix.netcom.com
Wed Sep 19 23:51:38 PDT 2001

The following topic arose today at the History of GNU/Linux presentation
at Moffett Field.

I picked up the following from the OpenBSD mailing list.

On page 34 of "The State of the Art in COMINT" (October, 1999) is a
section titled "Workfactor Reduction".  


    "Workfactor reduction"; the subversion of cryptographic systems 

    39. From the 1940s to date, NSA has undermined the effectiveness of
    cryptographic systems made or used in Europe.  The most important
    target of NSA activity was a prominent Swiss manufacturing company,
    Crypto AG.  Crypto AG established a strong position as a supplier of
    code and cypher systems after the second world war.  Many
    governments would not trust products offered for sale by major
    powers. In contrast, Swiss companies in this sector benefited from
    Switzerland's neutrality and image of integrity.

    40. NSA arranged to rig encryption systems sold by Crypto AG,
    enabling UKUSA agencies to  read the coded diplomatic and military
    traffic of more than 130 countries.   NSA's covert intervention was
    arranged through the company's owner and founder Boris Hagelin, and
    involved periodic visits to Switzerland by US "consultants" working
    for NSA. One was Nora L MacKabee, a career NSA employee. A US
    newspaper obtained copies of confidential Crypto AG documents
    recording Ms Mackebee's attendance at discussion meetings in 1975 to
    design a new Crypto AG machine".92

    41. The purpose of NSA's interventions was to ensure that while its
    coding systems should appear secure to other cryptologists, it was
    not secure.  Each time a machine was used, its users would select a
    long numerical key, changed periodically.  Naturally users wished to
    select their own keys, unknown to NSA. If Crypto AG's machines
    were to appear strong to outside testers, then its coding system
    should work, and actually be strong.  NSA's solution to this
    apparent conundrum was to design the machine so that it broadcast
    the key it was using to listeners.  To prevent other listeners
    recognising what was happening, the key too had also to be sent in
    code  - a different code, known only to NSA.  Thus, every time NSA
    or GCHQ intercepted a message sent using these machines, they would
    first read their own coded part of the message, called the
    "hilfsinformationen" (help information field) and extract the key
    the target was using.  They could then read the message itself as
    fast or even faster than the intended recipient 93

    42. The same technique was re-used in 1995, when NSA became
    concerned about cryptographic security systems being built into
    Internet and E-mail software by Microsoft,  Netscape and Lotus.  The
    companies agreed to adapt their software to reduce the level of
    security provided to users outside the United States.  In the case
    of Lotus Notes, which includes a secure e-mail system, the built-in
    cryptographic system uses a 64 bit encryption key.  This provides a
    medium level of  security, which might at present only be broken by
    NSA in months or years. 

    43. Lotus built in an NSA "help information" trapdoor to its Notes
    system, as the Swedish government discovered to its embarrassment in
    1997. By then, the system was in daily use for confidential mail by
    Swedish MPs, 15,000 tax agency staff and 400,000 to 500,000
    citizens.  Lotus Notes incorporates a "workfactor reduction field"
    (WRF)  into all e-mails sent by non US users of the system.  Like
    its predecessor the Crypto AG "help information  field" this device
    reduces NSA's difficulty in reading European and other e-mail from
    an almost intractable problem to a few  seconds work.  The WRF
    broadcasts 24 of the 64 bits of the key used for each communication.
    The WRF is encoded, using a "public key" system which can only be
    read by NSA.  Lotus, a subsidiary of IBM, admits this.  The company
    told Svenska Dagbladet:

	"The difference between the American Notes version and the
	export version lies in  degrees of encryption.  We deliver 64
	bit keys to all customers, but 24 bits of those in the version
	that we deliver outside of the United States are deposited with
	the American government". 94

    44. Similar arrangements are built into all export versions of the
    web "browsers" manufactured by Microsoft and Netscape.  Each uses a
    standard 128 bit key.  In the export version, this key is not
    reduced in length.  Instead, 88  bits of the key are broadcast with
    each message; 40 bits remain secret.  It follows that almost every
    computer in Europe has, as a built-in standard feature, an NSA
    workfactor reduction system to enable NSA (alone) to break the
    user's code and read secure messages. 

    45. The use of powerful and  effective encryption systems will
    increasingly restrict the ability of Comint agencies to process
    collected intelligence.  "Moore's law" asserts that the cost of
    computational power halves every 18 months.  This affects both the
    agencies and their targets.  Cheap PCs can now efficiently perform
    complex mathematical calculations needed for effective cryptography.
    In the  absence of new discoveries in physics or mathematics Moore's
    law favours codemakers, not codebreakers.

For general information:


Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?              Home of the brave
  http://gestalt-system.sourceforge.net/                    Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA!  http://www.freesklyarov.org
Geek for Hire                      http://kmself.home.netcom.com/resume.html
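
Added example, not part of the original post or the quoted report: a toy model of the "workfactor reduction field" described in paragraphs 41 to 44, useful for checking how much key strength is left once part of a key travels with each message. The stand-in cipher, the textbook-RSA escrow key, the choice of the top bits for the field and the known-prefix check are all assumptions, and the demo key is scaled down to 40 bits with 24 escrowed so the remaining search finishes quickly.

```python
import hashlib
import secrets

# Toy escrow keypair: textbook RSA over two Mersenne primes, no padding.
# Illustration only; unpadded RSA of a short value is itself guessable.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the escrow party only

def keystream_xor(key: int, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def send(plaintext: bytes, key_bits: int, escrow_bits: int):
    """Encrypt, and attach a WRF: the top escrow_bits of the key under the escrow public key."""
    key = secrets.randbits(key_bits)
    wrf = pow(key >> (key_bits - escrow_bits), E, N)
    return key, wrf, keystream_xor(key, plaintext)

def escrow_recover(wrf: int, ciphertext: bytes, crib: bytes, key_bits: int, escrow_bits: int):
    """Escrow holder: decrypt the WRF, then search only the bits it did not carry."""
    secret_bits = key_bits - escrow_bits
    known = pow(wrf, D, N) << secret_bits
    for low in range(2 ** secret_bits):
        # crib is an assumed known plaintext prefix used to recognise the right key
        if keystream_xor(known | low, ciphertext[:len(crib)]) == crib:
            return known | low, low + 1  # recovered key, trials used
    return None, 2 ** secret_bits

def search_space(key_bits: int, escrow_bits: int, holds_escrow_key: bool) -> int:
    """Worst-case number of keys a searcher must try."""
    return 2 ** (key_bits - escrow_bits if holds_escrow_key else key_bits)

if __name__ == "__main__":
    msg = b"Subject: constructed sample message"  # constructed input
    key, wrf, ct = send(msg, key_bits=40, escrow_bits=24)
    recovered, trials = escrow_recover(wrf, ct, b"Subject:", 40, 24)
    print("recovered key matches:", recovered == key, "after", trials, "trials")
    # The report's figures: Notes 64/24 and export browsers 128/88 both leave 2**40.
    print(search_space(64, 24, True), search_space(128, 88, True))
    print("without the escrow key (Notes):", search_space(64, 24, False))
```
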
